Sample Internal Audit Plan in Banking Institution

Document Sample
Sample Internal Audit Plan in Banking Institution Powered By Docstoc
					Management                                                                             Section 355

Internal Audit

Appraising the effectiveness of an institution’s internal audit function is integral to evaluating an
institution’s maintenance and effectiveness of internal control, and the integrity of its financial records.

Pursuant to Section 39 of the Federal Deposit Insurance Act, the interagency guidelines for safety and
soundness state that each institution should have an internal audit function that is appropriate to its size
and nature, and scope of its activities. All large thrifts and those with complex operations should have
an internal audit function. Regardless of size, thrifts should consider the need for an internal audit
       L I N K S

                               A strong internal audit function should provide the following elements within
                               the internal audit program:
     Appendix A                •   Adequate monitoring of the institution’s internal control system.
     Appendix B
                               •   Independence and objectivity.

•   Qualified personnel.

•   Adequate testing and review of information systems.

•   Adequate documentation of tests and findings of any corrective actions.

•   Verification and review of management’s actions to address material weaknesses.

•   Review by the institution’s audit committee or board of directors of the effectiveness of the
    internal audit systems.

This Section of the Handbook describes the objectives of, and the work performed by, internal auditors
and offers guidelines for regulatory staff in evaluating their work. You should use it in conjunction with
Handbook Section 340, Internal Control.

Use of an internal audit function for control and monitoring purposes is consistent with the description
set forth by the Institute of Internal Auditors (IIA). The IIA’s Standards for the Professional Practice
of Internal Auditing state that an internal audit is:

Office of Thrift Supervision                           February 2002               Examination Handbook   355.1
Management                                                                     Section 355

    ⎯ an independent, objective assurance and consulting activity designed to add value and
      improve on an organization’s operations. It helps an organization accomplish its objectives
      by bringing a systematic disciplined approach to evaluate and improve the effectiveness of
      risk management, control, and governance processes. The practice of professional internal
      auditing goes beyond examining accounting controls, records, and financial statements, and

A savings association’s internal audit program should consist of the policies and procedures that govern
its internal audit functions, including risk-based audit programs and outsourced internal audit work, if
applicable. While smaller savings associations’ audit programs may not be as formal as those found in
larger more complex savings associations, all institutions’ internal audit program should incorporate the

•   An audit charter or mission statement that sets forth the audit department’s purpose, objectives,
    organization, authority, and responsibilities. The charter should include a discussion about the
    scope of the audit committee responsibilities and how it carries out those responsibilities. The
    audit committee or board should periodically assess the internal audit function, and take
    appropriate action to ensure its ongoing reliability and effectiveness.

•   An audit plan that addresses goals, schedules, staffing budget, reporting, and, if applicable,
    financial budgets.

•   A policies and procedures manual for audit work programs and, if applicable, risk-based
    auditing or risk assessments and outsourcing of internal audit work.

•   A program for training audit staff, including orientation and in-house and external training

•   A quality assurance program, performed by internal or external parties, to evaluate the
    operations of the internal audit department. This may include ongoing reviews of the
    performance of the internal audit activity, or periodic reviews performed through self-
    assessment, or by other persons within the organization with knowledge of internal auditing
    practices. A qualified, independent reviewer or review team outside the organization may also
    conduct external assessments.

Internal auditors should evaluate the efficiency and adequacy of the internal audit system, and test the
continuing effectiveness and maintenance of controls. An adequate internal audit function should also
incorporate the following:

•   Procedures to determine the reliability of information produced within the institution and the
    effectiveness of internal policies and procedures. For example, internal auditors often help
    formulate and revise policies and procedures to plan and implement safeguards and controls,
    including ensuring appropriate evidence and audit trails.

•   Recommendations to assist management in attaining the most efficient administration of
    institution operations. Internal auditors also evaluate the following:

355.2    Examination Handbook                 February 2002                    Office of Thrift Supervision
Management                                                                      Section 355

    ⎯ Compliance with laws and regulations.

    ⎯ Effectiveness of administrative controls and procedures.

    ⎯ Efficiency of operations (also called operational auditing).

•   Information to enable management to fulfilling its responsibilities under statutes, regulations,
    and directives such as those required by Sections 112 and 132 of Federal Deposit Insurance
    Corporation Improvement Act (FDICIA) and 12 CFR Part 363.

•   Procedures to ascertaining the adequacy of controls to minimize risk of losses. One procedure
    is for internal auditors to appraise the soundness and adequacy of accounting, operating, and
    administrative controls. The appraisal process ensures that the association records transactions
    promptly and accurately, and properly safeguards assets.

•   For example, a critical internal audit responsibility/procedure is to determine the adequacy of
    valuation allowances by reviewing the system and procedures for internal asset review and
    credit quality classifications.

Internal auditors must maintain independence within the organization. The higher the level the auditor
reports to within the organization, the greater the likelihood of achieving effective independence. The
institution’s policies should give the auditor the authority necessary to perform the job. That authority
should include free access to any records necessary for the proper conduct of the audit.

Ideally, the internal auditor should report directly to an audit committee comprised of non-employee
members of the board of directors. Reporting at this level should allow the auditor the greatest access
to all levels of the institution, and assure prompt and independently objective consideration of audit
results. It also enables the auditor to assist the directors in fulfilling their responsibilities.

The board of directors or its audit committee should regularly receive a report of all audit activity. This
report should include the status of all audits on the internal audit schedule, and summaries of all audits
completed during the period including audit conclusions. In addition, this report should provide the
resolution status of previous internal audit findings and recommendations. If the internal auditor does
not report to the board or its audit committee, the reporting line should be to an individual with no
financial or operational responsibilities. Inadequate independence of internal auditors is cause for
critical OTS examination report comments. Instances in which an internal auditor reports to
management may warrant further consideration and assurance that independence of the internal auditor
is not compromised.

Internal auditors’ responsibilities and qualifications may vary, depending on the size of the institution
and complexity of operations. The internal audit function is generally a full-time job of an individual or
group, but may be a part-time job in smaller institutions. The institution may also outsource some or all
of its internal audit work.

Office of Thrift Supervision                   February 2002                Examination Handbook     355.3
Management                                                                       Section 355

Large institutions often designate a chief auditor to supervise the work of an internal audit staff. In
small institutions, the responsibility for internal audit may rest with officers or other employees
designated as part-time auditors.

Small institutions with few employees and less complex operations may not have an internal auditor on
staff. Nevertheless, the institution can ensure that it maintains an objective internal audit function by
implementing a comprehensive set of independent reviews of significant internal controls. The person
given this task should not also be responsible for managing or operating those controls.

Financial institutions are increasingly contracting with independent public accounting firms or other
outside professionals to perform work traditionally conducted by internal auditors. These arrangements
are frequently referred to as “internal audit outsourcing,” “internal audit assistance,” “audit
integration,” “audit co-sourcing,” or “extended audit services.” Outsourcing arrangements create a
variety of safety and soundness issues that will vary with the size, complexity, scope of activities, and
risk profile of the bank and the nature of the outsourcing arrangement.

Financial institutions generally enter into internal audit outsourcing arrangements to gain operational or
financial efficiencies by engaging a vendor to:

•   Assist its internal audit staff when the bank’s internal auditors lack the expertise required for an
    assignment. Such assignments are most often in specialized areas such as information
    technology, fiduciary, mortgage banking, and capital markets activities. The vendor normally
    performs only certain agreed-upon-procedures in specific areas and reports findings directly to
    the institution’s internal audit manager.

•   Perform the entire internal audit. The institution’s only internal audit staff may be an audit
    manager. The vendor usually assists the board and audit manager in determining the critical
    risks to be reviewed during the engagement, recommends and performs audit procedures
    approved by the internal auditor, and jointly with the internal auditor, reports significant
    findings to the board of directors or its audit committee.

In any outsourced arrangement, the institution should meet the following guidelines:

•   An employee (generally an internal auditor or internal audit manager or director) who is
    independent and responsible should manage the relationship with the vendor.

•   The directors have the responsibility for ensuring that any outsourcing arrangement is
    competently managed and that it does not detract from the scope or quality of an institution’s
    internal audit work, overall internal control structure of the institution, or audit and control

•   The board and management perform sufficient due diligence before entering into the
    outsourcing arrangement to verify the vendor’s competence and objectivity, and during the

355.4     Examination Handbook                 February 2002                     Office of Thrift Supervision
Management                                                                       Section 355

    arrangement to determine the adequacy of the vendor’s work and compliance with contractual

•   The arrangement does not compromise the role or independence of a vendor if the vendor also
    serves as the institution’s external auditor.

If the institution outsources the internal audit function, or any portion of it, determine the effectiveness
of and reliance to be placed on the outsourced internal auditing. You should obtain copies of the
following documents:

•   Outsourcing contracts or engagement letters.

•   Outsourced internal audit reports and associated work papers.

•   Policies on outsourced audit, if any.

Review the outsourcing contracts, engagement letters, work papers, and policies to determine whether
they adequately do the following:

•   Set the scope and frequency of work the outside vendor will perform.

    ⎯ Outsourced internal audit reports and internal audit work papers should be adequately
      prepared in accordance with the audit program and the outsourcing agreement.

    ⎯ Work papers should disclose the specific program steps, calculations, or other evidence that
      supports the procedures and conclusions set forth in the outsourced reports.

    ⎯ The scope of the outsourced internal audit procedures should be adequate regarding the
      procedures and testing performed, and the internal audit manager should approve the

    ⎯ The institution should revise the scope of outsourced audit work appropriately when the
      institution’s environment, activities, risk exposures, or systems change significantly.

•   Set the manner and frequency of reporting to the institution’s audit manager, senior
    management, and audit committee or board of directors about the status of work.

    ⎯ The institution should subject the vendor to objective performance criteria such as whether
      an audit is completed on time and whether overall performance meets the objectives of the
      audit plan.

    ⎯ Key institution employees and the vendor should clearly understand the lines of
      communication and how the institution will address internal control or other problems
      noted by the vendor.

Office of Thrift Supervision                    February 2002                Examination Handbook     355.5
Management                                                                      Section 355

    ⎯ Results of outsourced work should be well documented and reported promptly to the board
      of directors or its audit committee by the internal auditor, the vendor, or both jointly.

•   Establish a process for changing terms of the service contract, especially for expansion of audit
    work if the auditor finds significant issues.

•   State that internal audit reports are the property of the institution, that the vendor will provide
    copies of related work papers the institution deems necessary, and that authorized employees of
    the institution will have reasonable and timely access to work papers prepared by the outside

•   Identify the locations of outsourced internal audit reports and related work papers.

•   Grant OTS examiners immediate and full access to outsourced internal audit reports and related
    work papers.

•   Prescribe an alternative dispute resolution process for determining who bears the cost of
    consequential damages arising from errors, omissions, and negligence.

•   State that outside vendors, if subject to SEC or other independence guidance, such as that
    issued by the AICPA, will not perform management functions, make management decisions, or
    act or appear to act in a capacity equivalent to that of an employee of the institution.

•   Review the performance and contractual criteria for the vendors and any internal evaluations of
    the vendor, and determine if the board or audit committee performed sufficient due diligence to
    satisfy themselves of the vendor’s competence before entering into an outsourcing

•   Determine if procedures exist to ensure that the vendor maintains sufficient expertise to
    perform effectively throughout the arrangement.

•   Determine whether the vendors are independent, and disclose any potential conflicts of interest.
    If a vendor is an independent public accountant who also performs the institution’s external
    audit, potential conflicts of interest may exist.

    ⎯ The board should be familiar with AICPA Interpretation 102-2 about conflicts of interest
      under AICPA Rule 102, which discusses integrity and objectivity of independent public
      accountants performing outsourced internal audit work.

If you determine that you cannot rely on the vendor’s work, discuss that assessment with the Regional
Accountant, the board, bank management, and the affected party before finalizing the report of

355.6    Examination Handbook                 February 2002                     Office of Thrift Supervision
Management                                                                      Section 355

Independence Issues and Outsourcing
The institution’s board of directors, management, auditor, and OTS should pay particular attention to
independence issues if both of the following occur:

•   A savings association, holding company, or affiliate outsources internal audit work to its
    external auditor, and

•   The internal audit work relates to internal accounting controls, financial systems, or financial

Management should address independence issues and any other potential conflicts of interest that may
arise when one firm performs both internal and external audit services.

The reason for the concern is that an auditor generally relies, at least to some extent, on the internal
control system when performing the external audit. If the outside vendor that provides the internal
audit services is also the external auditor, then the external auditor could be relying on his or her own
work. Thus, the arrangement introduces significant questions about the independence of the external
auditor, both in appearance and in fact. Such an arrangement may compromise the role or
independence of a vendor. In cases where the same firm performs internal and external audit work,
institutions may consider requesting that the audit firm use different accounting firm employees to
perform the internal audit and external audit duties. (See Examiner Guidance in Appendix A.)

OTS follows the Securities and Exchange Commission (SEC) regulations that impose substantial
requirements and limitations on a savings association, a holding company, or an affiliate that outsource
any internal audit work to its external auditor. OTS regulation 12 CFR Part 562.4 states that an
independent public accountant must perform the external audit, whether required or otherwise, of a
savings association, a holding company, or affiliate. Under this regulation, independent public
accountants are subject to the independence requirements and interpretations of the SEC and its staff.

The SEC independence rules (17 CFR Parts 210 and 240) include substantial requirements and
limitations with respect to providing any internal audit services to external audit clients. The effective
date related to internal audit-related services is August 5, 2002.

Under the SEC independence rules, when the external auditor provides any internal audit services
(including both (a) internal audit services related to internal accounting controls, financial systems, or
financial statements, and (b) operational internal audit services) for an external audit client, the SEC
requires management to do the following:

•   Acknowledge in writing to the external auditor and the audit committee (or if there is no such
    committee, then the board of directors) management’s responsibility to establish and maintain a
    system of internal accounting.

•   Designate a competent employee or employees, preferably within senior management, to be
    responsible for the internal audit function.

Office of Thrift Supervision                   February 2002                Examination Handbook    355.7
Management                                                                      Section 355

•   Determine the scope, risk, and frequency of internal audit activities, including those the external
    auditor will perform.

•   Evaluate the findings and results arising from the internal audit activities, including those the
    external auditor performed.

•   Evaluate the adequacy of the internal audit procedures performed, and the findings resulting
    from the performance of those procedures, by among other things, obtaining reports from the
    external auditor.

•   Not rely on the external auditor’s work as the primary basis for determining the adequacy of its
    internal controls.

In addition, where the external auditor provides internal audit services related to internal accounting
controls, financial systems, or financial statements for an external audit client, the SEC limits these
services to an amount not greater than 40 percent of the total hours expended on such internal audit
activities in any one fiscal year. However, this limitation does not apply where the client company has
less than $200 million in total assets.

The AICPA also provides a list of activities that impair independence for its members. OTS considers
the AICPA guidance on independence to be applicable to all independent public accountants
performing external or internal audit work.

If you find sufficient reason to question a vendor’s independence, objectivity, competence, or failure to
meet OTS and SEC standards, discuss the situation with the Regional Accountant. If appropriate,
request through the institution that the vendor make additional work papers available, and meet with
the vendor to discuss concerns.

To provide uniform guidance on the internal audit function and outsourcing, the Office of the
Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Federal Reserve Board,
and the Office of Thrift Supervision issued the Interagency Policy Statement on the Internal Audit and
Its Outsourcing on December 22, 1997. (Although the text of this handbook section incorporates the
guidance, see Appendix A for the full text of the Interagency Policy Statement.)

An audit manager, whether working alone or with staff, should possess the following qualifications:

•   Academic or other credentials comparable with those of other institution officers with major
    responsibilities in the organization.

•   Commitment to a program of continuing education and professional development.

•   Audit experience, and organizational and technical skills commensurate with the responsibilities
    including proficiency in applying internal audit standards, procedures, and techniques.

355.8    Examination Handbook                 February 2002                     Office of Thrift Supervision
Management                                                                       Section 355

•   Strong oral and written communication skills.

•   Ability to properly supervise each audit and provide suitable instructions to help meet audit

To understand fully the flow of data and the underlying operating procedures, the internal audit
function manager must have proper education, training, and understanding of key areas of bank
operations. College courses, various industry sponsored courses, and significant prior work experience
in various departments of an institution may provide adequate education.

Certification as a certified internal auditor or a certified public accountant may serve as further evidence
of having the appropriate credentials. The internal audit function manager must maintain a program of
continuing education.

The audit staff should also possess certain minimum qualifications and skills commensurate with the
complexity of the institution’s operations. Any member of the audit staff in a supervisory position
should possess adequate knowledge of audit objectives and an understanding of the audit procedures
performed by the staff.

The final measures of internal auditors’ competence and performance are the quality of the work
performed, and the ability to communicate the results of that work. The adequacy of the audit program,
the quality and completeness of internal audit work papers, and the clarity and comprehensiveness of
internal audit reports reflect evidence of an auditor’s competence and performance.

The overall audit plan, which consists of various departmental and functional audit programs, must
attain the audit committee or the board of director’s desired objectives. The audit committee or board
should approve the audit plan at least annually. In assessing the adequacy of the annual audit plan and
completed audit programs, evaluate the following areas:

•   The audit plan’s scope, frequency, and depth including any internal rating system as it relates to
    the institution’s size, the nature and extent of its banking activities, and the institution’s risk

•   Board of directors’ or audit committee minutes, or summaries thereof. Determine whether the
    audit committee or board of directors formally approves the internal audit function’s objectives,
    the audit program and schedule, and monitors the activities of the internal audit department to
    follow the approved programs and schedules. The audit committee or the board should
    approve any significant changes to the program or schedule.

•   Management’s records supporting any assertions concerning the effectiveness of internal
    controls over financial reporting and compliance with designated laws and regulations.
    Management should set its standards for measuring the adequacy and effectiveness of internal
    controls over financial reporting based on risk analyses or assessments, control assessments,

Office of Thrift Supervision                    February 2002                Examination Handbook     355.9
Management                                                                        Section 355

    audit report findings, and other various resources including established standards such as those
    set by the AICPA.

•   Content of the individual audit programs.

•   Documentation of the work performed.

•   Conclusions reached and reports issued.

•   Procedures for follow-up to ensure the association take corrective action.

A characteristic of a good internal audit plan is a proactive approach. It should have an early warning
system to detect and evaluate risks, determine scope, frequency, and depth of audit procedures needed,
and adjust the audit plan accordingly.

In assessing risk, the auditor should consider the following factors:

•   The nature and relative size of the specific operation and related assets and liabilities, including
    off-balance sheet transactions.

•   The existence of appropriate policies and internal control standards.

•   The effectiveness of operating procedures and internal controls.

•   The potential materiality of errors or irregularities associated with the specific operation.

Audit programs are an integral part of the audit work papers, and serve as the primary evidence of the
audit procedures performed. Before developing or revising the audit program, the internal auditor
should have a thorough understanding of the operations of the department or function. The auditor
should prepare or revise a written audit program for each area of an institution’s operations before
beginning the audit work.

Each program should contain a clear, concise description of the internal control objectives, degree of
risk if internal controls fail, and the procedures to follow in testing such controls. An individual audit
program may encompass several departments/functions of an institution, a single department, or
specific operations within a department.

The effectiveness of the overall audit plan depends on a variety of factors. To plan effectively, the
auditor must consider the factors described above, along with many of those outlined in Examination
Handbook Section 060, Examination Strategy, Scoping, and Management.

Most audit programs should address the following audit procedures:

•   Surprise audits where appropriate.

•   Maintenance of control over records selected for audit.

355.10    Examination Handbook                  February 2002                     Office of Thrift Supervision
Management                                                                     Section 355

•   Review and evaluation of the institution’s policies and procedures and the system of internal

•   Reviews of laws, regulations, and rulings.

•   Sample selection methods and results.

•   Proof of reconciling detail to related control records.

•   Verification of selected transactions and balances through examination of supporting
    documentation, direct confirmation and appropriate follow-up of exceptions, and physical

The internal audit work papers must document the work performed by the auditor. Work papers
should contain completed audit work programs and analyses that clearly indicate the procedures
performed, the extent of testing, and the basis for the conclusions reached.

Upon completion of the procedures outlined in audit programs, the internal auditor should be able to
reach conclusions that will satisfy the audit objectives. The internal auditor must effectively interpret
these conclusions documented in the work papers. Audit report findings must be consistent with the
documented conclusions. Reports should include, when appropriate, recommendations for remedial
action. The overall audit plan must also provide for follow-up procedures to ensure that the association
takes corrective action.

The internal auditor must communicate all findings and recommendations in a clear, concise manner,
pinpointing problems and suggesting solutions, and submit reports as soon as practicable. Auditors
should route reports to those officials who have both the responsibility and authority to implement
suggested changes. If full audit reports do not go to the board of directors, the auditor should prepare
summary reports for the board’s review. Prompt and effective management response to the auditor’s
recommendations is the final measure of the effectiveness of the audit program. The auditor should
inform the audit committee or board of management’s responses to audit findings and

Information Systems and Technology Audit Review
The institution’s internal audit program should have qualified personnel review, test, and evaluate the
information systems and technology environment. The Federal Financial Institutions Examination
Counsel (FFIEC) Information Technology Handbook contains examination policies and procedures
that govern the assessment of the information systems and technology audit function by all financial
institution regulators.

The internal audit program should provide audit coverage of significant information systems and
technology risk exposures. This would include systems development projects and computer production
activities involving on-premise computing (for example, on stand-alone and networked
microcomputers), in-house computer centers, and third-party vendors (for example, service bureaus).

Office of Thrift Supervision                     February 2002             Examination Handbook   355.11
Management                                                                      Section 355

The scope of the internal audit program should also address information system and technology-related
threats from outside sources (for example, unauthorized access to the institution’s or their service
provider’s on-line banking operation).

In May 1993, the Board of the FDIC approved the initial regulations and guidelines implementing the
management reporting, audit committee, and annual independent audit requirements of § 112 of
FDICIA. Congress amended the statute by passing the Economic Growth and Regulatory Paperwork
Reduction Act (EGRPRA) of 1996. The regulations apply to insured depository institutions with total
assets of $500 million or more. The requirements for these institutions include the following:

•   Reporting to the FDIC and OTS (when it is the primary regulator) on internal control over
    financial reporting and compliance with certain laws and regulations, as well as filing annual
    audited statements.

•   An annual audit by an independent public accountant (external auditor).

•   An audit committee consisting of outside directors, who must be independent of management.
    For institutions holding over $3 billion in assets, two of the outside directors must have banking
    and financial management expertise, neither can be a large customer of the institution, and they
    must have independent access to the audit committee’s outside counsel.

Management Assertions
To assist management in determining strategies related to management’s reporting on both the
effectiveness of internal control over financial reporting and compliance with designated laws such as
FDICIA and regulations, the internal auditor may:

•   Test the effect of key controls identified as a basis for management’s assertions.

•   Perform agreed-upon procedures to test compliance with laws and regulations.

•   Establish a system to monitor the internal control system and identify changes needed in the
    control environment.

Management may use the internal auditor’s work to facilitate its assertion that the internal control over
financial reporting is effective. The internal auditor’s procedures must be sufficient for management to
rely on them for such assertions.

The external auditor performs examination procedures to attest to management’s assertion that the
internal control over financial reporting is functioning effectively. The external auditor may consider
the work done by the internal auditor as part of the auditing procedures.

355.12   Examination Handbook                 February 2002                     Office of Thrift Supervision
Management                                                                    Section 355

Your review and evaluation of the internal audit function is key in determining the scope of the
examination. You should separately determine the adequacy and effectiveness of the audit program for
each area of examination interest.

The internal auditor’s work may provide useful information in setting the scope of the examination.
You should judge the independence and competence of the internal auditor before addressing the
overall adequacy and effectiveness of audit programs, and the work performed. If, for example, you
conclude that the internal auditor possesses neither the appropriate independence nor the competence,
you cannot rely upon the work for scoping purposes.

To test the adequacy of the internal audit work, follow the Internal Audit Program Level I and II
procedures. Level I procedures describe the use of the Internal Audit Questionnaire.

Under Level II procedures, you may review work papers that document and test procedures performed
by internal auditors. In some cases, such a review may be sufficient to substantiate conclusions about
the quality and reliability of the internal audit function. The Internal Auditor Questionnaire from the
PERK package should provide pertinent information. See Appendix B. Findings from the internal audit
work paper reviews will also help you determine whether further verification procedures and testing are
necessary under Level III procedures.

After reviewing work papers and testing procedures, report the following weaknesses in internal
audit-related management and internal controls to the Regional Accountant:

•   Absence of or inadequacy of an internal audit function in a large institution or an institution
    with complex operations.

•   An inadequate internal audit plan.

•   Instances in which the internal auditor does not have full access to records or otherwise lacks

•   Lack of internal auditor competence and/or expertise.

•   Instances in which the internal auditor reports to operational officers rather than the board of
    directors or audit committee of outside directors.

•   Audit committees not properly established or non-functioning, such that they are unable to
    initiate corrective action.

Other Internal Audit Resources
The institution may also provide you with a Global Audit Information Network (GAIN) report
purchased from the Institute of Internal Auditors or a similar product by another vendor. Generally

Office of Thrift Supervision                  February 2002               Examination Handbook   355.13
Management                                                                           Section 355

these products are Internet-based and may provide information about general organization statistics,
audit staff profiles, quality assurance practices, audit committee information, scope of internal audit
activities, audit planning, risk assessments, and other audit information you may find useful. OTS does
not endorse these products or require institutions to use them, but if such information is available,
consider requesting it to review for scoping your examination.


Code of Federal Regulations (12 CFR)
Part 562                      Regulatory Reporting Standards

Internal Audit Guidance
*The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing

*Financial Managers Society’s Financial Institutions Internal Audit Manual, 2000-200

Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of
Corporate Audit Committees (1999)
* Internal audit staff may have these documents in-house.

American Institute of Certified Public Accountants

Statements on Auditing Standards (U.S. Auditing Standards (AU)
No. 41                        Working Papers, Providing Access to or Photocopies of Working Papers to a
                              Regulator, AU 339)

No. 55                        Consideration of the Internal Control Structure in a Financial Statement Audit
                              (AU 319)

No. 58                        Reports on Audited Financial Statements (AU 508)

No. 60                        Communication of Internal Control Structure Related Matters Noted in an
                              Audit (AU 325 and 9325)

No. 61                        Communication with Audit Committees (AU 380)

No. 78                        Consideration of Internal Control in a Financial Statement Audit: An
                              Amendment to SAS 55 (AU 319)

No. 82                        Consideration of Fraud in a Financial Statement Audit (AU 316)

No. 89                        Audit Adjustments (AU 420)

355.14      Examination Handbook                            February 2002           Office of Thrift Supervision
Management                                                                         Section 355

No. 90                         Audit Committee Communications (AU 380)

No. 94                         The Effect of Information Technology on the Auditor’s Consideration of
                               Internal Control in a Financial Statement Audit (AU 319)

Office of Thrift Supervision                        February 2002              Examination Handbook     355.15

Shared By:
Description: Sample Internal Audit Plan in Banking Institution document sample